One in every 214 emails sent in South Africa last year was a spear-fishing attack. You need to keep improving your security to protect your business from these kinds of cyber-crimes.

The Hollywood Presbyterian Medical Centre and San Francisco Municipal Transport Agency were recently hit with ransomware attacks against their systems. The cyber criminals didn’t ask for an outrageous amount and didn’t steal data, but the potential was there.

The time that the systems were down is what caused the most damage, as patients’ and drivers lives were at risk. “Although the actual ransom can be a small amount for large organisations, in terms of downtime, reputational risk and top-line revenue, it can cause substantial damage to any business,” says Marc Sorel, one of the leaders of McKinsey’s Cyber Solutions.

As the world becomes more digitised, the cyber threat grows rapidly. Not only do businesses have to worry about data being stolen and the amount of the ransom, but because your business had to effectively close for a period of time, you’ve lost momentum. This can cause businesses to struggle to maintain competitiveness and speed of innovation.

“But needing to plan out cyber security in a way that doesn’t slowdown digitisation and innovation is difficult,” says Dayne Myers leader of McKinsey’s Cyber Solutions. Otherwise, although you’ve protected your business from a cyber-attack, you’ve left yourself open to become stagnant, uncompetitive and disrupted by yours or other industries.

DO YOU KNOW?

Companies understand that just because cyber-attacks have been in the headlines, it doesn’t mean that criminal activity is suddenly more prominent. It’s something that is being more glaringly exposed, which is why businesses continue to focus on the analysis around potential threats.

You can use secure enterprise architecture to incorporate security measures into the design of your IT architecture, instead of adding it as an afterthought. Here are four principles you need to take into account when implementing secure enterprise architecture:

1. Align your business domain with your security requirements

Your traditional IT architecture is structured along a business’ domain that are based on business processes. For example, in a retail business these domains would include the supply chain or store management, according to McKinsey.

On the other hand, an optimised IT architecture will reflect both business systems and the risk exposure of assets and systems in each domain. When your security is built into the architecture it becomes an integral part of it, instead of adding complexity.

You need to consider your cyber security as a business issue not specifically a technology issue.

“That’s generally not sufficient to understand and manage the risk,” says Dayne Myers. “We’ve been advising companies to make that leap to make it a business issue, and to look at the tech within the ecosystem of the business as a whole.”

2. Build toward modularity

You need to be able to adjust one domain without it affecting the security level of other domains. This modular structure offers your business security throughout multiple sectors to ensure you reduce the amount of cyber-attacks that occur within a specific domain.

“Insider threats are growing and your adversaries have devised attack methods in which they penetrate a network in multiple small steps over a period of weeks or even months,” says McKinsey. There are two distinct advantages of dividing your network into security domains:

1. It creates boarders inside your network where traffic can be monitored to prevent something from infiltrating into more than one domain.
2. Anomalies within a bordered domain are easier to pinpoint and monitor compared to changes happening across the whole network.
3. Isolate matching capabilities

You’ll need to group similar process activities at the same capability level. For example, by matching up customer management and account management, you can make your cyber security architecture manageable and secure.

“The capability level is used to assess the risk exposure of assets and processes and to specify adequate and consistent levels of security requirements,” according to McKinsey. This allows you to define security domains to create protection for assets that have similar risk exposure across the architecture.

4. Integrate throughout the supply chain

By using defined security domains and mapping assets end-to-end, allows you to determine with your business partners what level of security is required at each cross-organisational information port. McKinsey reports that this also serves to reduce the number of point-to-point links and drives trading-partner integration through well-defined and more easily protected APIs.

Attention to detail is vital when negotiating supply-chain integration, and shouldn’t be considered an added layer of complexity. Cyber attackers will always look for the weakest link in the chain.

Businesses around the world are facing a growing variety of cyber threats, all of which could cause dire consequences even to the largest conglomerate. To build large walls around your business could seem like the right solution, however, according to McKinsey this could impede your innovation, functionality and lead to new vulnerabilities within your company.

Your business needs to instead implement a security approach that is aligned with your business strategy and supported by both your IT department and business leaders. This will allow your cyber security to become a part of your business instead of a security guard standing outside the premises. “Historically, security was the responsibility of many people part-time instead of a few people full-time,” says Marc Sorel.  “Cyber security just isn’t getting the attention that it needs and deserves, especially in things like upstream application development for the digital tools that the business wanted to create.”

Incorporating both your security and business strategy will offer you the added advantage of having your security processes growing and scaling with your business as your priorities change.

TAKE ACTION

During your transformational journey you’ll need a clear vision of your target, a solid road map for getting there, and a culture change to support the adoption journey. Here are a few steps you need to take along your digital transformation:

• Decide on a vision – Your architecture can only be developed alongside your business strategy, so you need direction to begin with.
• Create a strategy – Start at the important, technically advanced areas and work out from there.
• Encourage usage – Incorporate security adoption into your company culture to ensure usage

Resources:

• http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/staying-ahead-on-cyber-security
• http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/protecting-the-enterprise-with-cybersecure-it-architecture
• https://www.payu.co.za/press-room/sa-companies-under-cyberattack